Intuitive, easy to use Risk, Compliance, Incident & Audit Management
Risk Management
Risks need to be evaluated against the company’s assets. To do this, three parts are required:
Identify all the potential risks
Conduct a risk assessment
Establish appropriate risk treatments
The risk identification process generally starts from the organisation’s asset register. The risk assessment is then conducted, in which the organisation should identify information security risks and determine the likelihood of an event or breach happening and what the consequences may be.
The risk treatment then follows: a list of controls in place to mitigate the likelihood and consequence of each risk. A selection of controls is chosen from Annex A in ISO 27001.